Pages

Thursday, March 26, 2015

Firewalls, Firewalls and More Firewalls

CIO: Jimmy, I was at a conference last week and the common theme at the
conference is that firewalls are a things of the past. Trends are suggesting that we should start
looking at a Next-Gen Firewall to replace what we have.

Engineer: Sir, we just added a UTM solution into our network a month ago???

CIO: I understand Jimmy. However, the
threat landscape is getting serious and I need to make sure that our network is
as secure as possible. I need some
recommendations for a Next-Gen Firewall by the end of the week.

The exchange above resonates of a situation that seems all too
common in the IT workspace these days. As
IT engineers, we tend to speak our own jargon of acronyms and catchy phrases. We’ve become so accustom to it that at times
we tend to forget our audience and just assume that everyone knows what it is
we’re talking about. It even happens
amongst ourselves from time to time. However,
the business side of the house usually has their own set of definitions for
things. Most of them fueled by third
party organizations like Gartner. In
this particular case of the misunderstanding pertaining to the firewall
discussion between the CIO and Engineer we are presented with an opportunity to
clear some of these misunderstandings about the firewall. Since a vast amount of upper management in
organizations tends to lend a significant amount of weight to Gartner’s Magic
Quadrant we’ll use their definitions to help compare and contrast what a Firewall, Next-Gen Firewall, and Unified Threat Management really are.

Firewall

“A firewall is an
application or an entire computer (e.g., an Internet gateway server) that
controls access to the network and monitors the flow of network traffic. A
firewall can screen and keep out unwanted network traffic and ward off outside
intrusion into a private network. This is particularly important when a local
network connects to the Internet. Firewalls have become critical applications
as use of the Internet has increased.” -Gartner
2013

According to Gartner a firewall is just an “application or an entire computer
that controls access to the network”.
While technically correct it lacks a good amount of clarity. When most IT engineers think of a firewall on
a network they don’t typically think of a software application or a desktop
PC/server as the device that is going to be used to control access in and out
of their network. What comes to mind (at
least mine) is a dedicated appliance that has a number of ASIC’s (Application
Specific Integrated Circuits) that are designed to process network traffic
while comparing it against definitive set of rules at Layer 3 and 4 of the OSI
model, stateful sessions, and provide some sort of NAT (Network Address
Translation). Sure, there are other services
that seem to be common on a lot of firewalls such as the various types of VPN
(Virtual Private Networking) technologies but the truth of the matter is that
not every firewall supports VPN technologies.
Similarly, IPS/IDS (Intrusion Prevention/Intrusion Detection Systems)
are also common services that are found on a number of firewalls and like VPN
there are a number of firewalls that do not support these technologies. So the question becomes, if these are
services that aren’t standard on a firewall and when added they enhance the
level of security that a firewall can provide couldn’t that make firewalls that
do provides these services a “Next-Generation”
firewall? After all, the definition of
the term “Next-Generation” according
to Dictionary.com is “pertaining to the
next generation in a family; also, pertaining to the next stage of development
or version of a product, service, or technology (Dictionary.com, 2014)” one could easily
deduce that having VPN and integrated IPS/IDS as part of a firewall would be
the next stage of development in the firewall family product line and thereby
should be a “Next-Generation Firewall”. Or so one would think but alas we would be
wrong in our assumption because Gartner has coined the Next-Generation Firewall phrase with a different meaning.

Next-Generation Firewall

“Next-generation
firewalls (NGFWs) are deep-packet inspection firewalls that move beyond
port/protocol inspection and blocking to add application-level inspection,
intrusion prevention, and bringing intelligence from outside the firewall. An
NGFW should not be confused with a stand-alone network intrusion prevention
system (IPS), which includes a commodity or nonenterprise firewall, or a
firewall and IPS in the same appliance that are not closely integrated.” -Gartner
2013

To me, this definition sounds a lot like what was just
discussed prior. However, there are a
couple of key requirements in this definition order for a firewall to be coined
“Next-Generation”. Application-level inspection being the first,
and bringing intelligence from outside the firewall being the second, are the
two additional requirements that Gartner has added to this definition in order
for one to coin their box as a “Next-Generation
Firewall”. So what is
application-level inspection? Simply put
it’s going to be the firewalls ability to classify traffic such as Facebook,
Outlook, Adobe Flash, etc. at the firewall level and write policies based on
these classifications. The next
requirement is quite vague because “bringing
intelligence from outside the firewall” could technically be any sort of
service not originating from inside the firewall. One could argue that a firewall downloading
IPS/IDS signatures could be considered “bringing
intelligence from outside the firewall”.
What I find troubling about this is that some time ago there was a
situation in which a particular vendor met all of Gartner’s requirements as per
the definition but wasn’t allowed to compete in the Magic Quadrant because the
product was already a leader in the UTM (Unified Threat Management) category
and exceeded the requirements of the Gartner definition (Tam, et al., 2012). There are, however, a number of other
products that exceed the required capabilities as per the definition, but these
products still appear in the Magic Quadrant.
For example, in the definition stated above there is no mention about
offering VPN services and yet there is a plethora of devices in the quadrant
that do.

When we look at this definition provided by Gartner for Unified Threat Management, there are a
few additional features that a UTM provides.
In addition to the requirements laid out for the Next-Generation Firewall, UTM provides VPN technologies, Web
filtering, Web antivirus, anti-spam, and e-mail AV. Let’s not forget that these services have to
be offered from on the same box.
However, you will note that there isn’t any mention made in regards to
the UTM having to bring any intelligence into the platform from an outside
source.

Conclusion

The waters have been
tremendously muddied thanks to third parties such as Gartner making up their
own definitions for these platforms. At
the end of the day, they’re all just firewalls.
Firewalls with enhanced feature sets.
Unfortunately, the reality is that because many key people tend to
follow Gartner quite religiously it becomes necessary to understand their
definitions as well as knowing how a manufacturer views their product in order
to try to ensure that there isn’t that communication breakdown.